Score:0

OpenVPN iptables script intermittently failing


I am new to VPN setup and iptables and I have a basic understanding of networking, but am by no means a networking expert.

I am setting up an OpenVPN router so that I have remote access to the PLCs that sit behind the router. I am doing this with the OpenVPN cloud service Cloud Connexa. Locally, the PLCs have IP addresses in the 192.168.1.* range. When I access the devices remotely I would like them to have addresses in the 10.20.2.* range, i.e. in my browser on my PC, after I connect to the VPN, when I type in 10.20.2.19 it will show me the web interface for the PLC at 192.168.1.19. A diagram of my network setup is shown here.

Currently this is working; however, from time to time, when I try to connect to devices on the network, I am unable to see the devices. To troubleshoot this I have added additional VPN tunnels to the device using different OpenVPN services. This allows me to access the router via an SSH connection or via the modem's web interface. When I am unable to connect to the devices on the network I can see that the OpenVPN connection to the router is up and running on the Cloud Connexa status page, and I can also see that the OpenVPN connection is running on the router (if I access the router using a second VPN service).

So I know my issue is not the telecommunication connection between the OpenVPN service and the router, nor is it an authentication issue; my issue is an IP routing or mapping issue.

My router has a script which runs as part of the route-up option in OpenVPN on the device. The script has the following lines:

#!/bin/sh
# Each rule is deleted (-D) and then re-added (-I/-A) so that the script can
# be re-run without accumulating duplicate rules.

# Incoming on vpn1: 1:1 map the 10.20.2.0/24 destination onto 192.168.1.0/24
iptables -t nat -D PREROUTING -d '10.20.2.0/24' -i vpn1 -j NETMAP --to '192.168.1.0/24'
iptables -t nat -I PREROUTING -d '10.20.2.0/24' -i vpn1 -j NETMAP --to '192.168.1.0/24'
# Outgoing on vpn1: 1:1 map the 192.168.1.0/24 source back onto 10.20.2.0/24
iptables -t nat -D POSTROUTING -s '192.168.1.0/24' -o vpn1 -j NETMAP --to '10.20.2.0/24'
iptables -t nat -I POSTROUTING -s '192.168.1.0/24' -o vpn1 -j NETMAP --to '10.20.2.0/24'
# Traffic leaving on lan1 gets the router's lan1 address as its source
iptables -t nat -D POSTROUTING -o lan1 -j MASQUERADE
iptables -t nat -A POSTROUTING -o lan1 -j MASQUERADE
#---------------------- for SNMP ---------------------------------------
# Non-ICMP traffic from 172.16.0.0/16 leaving on vpn1 gets source 10.20.2.234
iptables -t nat -D POSTROUTING ! -p icmp -s 172.16.0.0/16 -o vpn1 -j SNAT --to-source 10.20.2.234
iptables -t nat -I POSTROUTING ! -p icmp -s 172.16.0.0/16 -o vpn1 -j SNAT --to-source 10.20.2.234
#---------------------- for SNMP end -----------------------------------

I did not write the script, but I have copied it and edited it from a previous working OpenVPN connection. My understanding of the script is as follows. The first two lines of the script say that any traffic that comes in external to the router and is bound for a 10.20.2.* address should be remapped to a 192.168.1.* address. The next two lines say that any traffic that leaves the router and comes from the 192.168.1.* addresses should appear to have come from the 10.20.2.* addresses. I don't quite understand the next two lines (with MASQUERADE), but my understanding is that these lines make the local area network appear to be part of the VPN connection?

The last two lines are where I think I have an issue, mostly because I do not understand what they do. These lines are commented in between --- for SNMP ---. These lines refer to the 172.16.0.0/16 network, and I do not know what this network is. I feel like I should change this to be 100.96.1.32/28, as this is the IP address assigned to my OpenVPN network, but I really don't understand what this iptables entry is trying to achieve.

Using SSH I have been able to shell into the router and check the iptables entries on the router when the devices are not visible (using iptables -t nat -n -L). When this occurs, I can see that the

 NETMAP     all  --  0.0.0.0/0            10.20.2.0/24        192.168.1.0/24 

rule is not in the iptables as I expect, and so I think that my script is somehow failing.

I was hoping that someone with a better understanding of VPNs and routing tables could help me:

  1. Understand what the last two lines are doing.
  2. Work out if these lines are the cause of my devices periodically not being accessible, or if I should be looking somewhere else to find out what might be the cause of my issue.

Cheers,

Score:0

First of all, SNMP is a protocol to query/modify certain settings over the network. It looks like the router supports SNMP, and to be able to use SNMP over the VPN connection, this line says: "for all traffic (except for the ICMP protocol) which is coming from the network 172.16.0.0/16 and is going into the VPN connection, modify the source address to 10.20.2.234". This has nothing to do with your VPN connection; reading your description, you do not use the network range 172.16.0.0/16, therefore those rules never match and never get applied.

Generally speaking, iptables -D deletes the specified rule if it exists, and iptables -I inserts a rule at the top of the table's ruleset. These duplicates probably exist inside the script to avoid errors if these iptables rules already exist.

The MASQUERADE rule replaces the source address of all traffic going out of the lan1 interface with the address of this interface. I do not know what kind of interface this is; my guess is a local network connection.

An outline of which interface of the router is doing what would be helpful for understanding those iptables rules. For example: Does your VPN connection always have the interface name vpn1? Usually, those numbers are: vpn0 for the first connection, vpn1 for the second, etc.

One reason for your connection issues could be that the VPN connection of your router is being established from time to time with a different interface name...
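The rule behaviour described in the question (NETMAP in both directions plus MASQUERADE on lan1) and the -D/-I idiom explained in the answer can be combined into a route-up script that checks for each rule before adding it and then verifies the result. The script below is an added example and is not the asker's script, the router vendor's code, or anything from Cloud Connexa or OpenVPN. It assumes that OpenVPN exports the tunnel interface name to route-up scripts as the environment variable dev (so the rules follow whichever vpnN interface the connection actually got), and it introduces an IPT variable so the same functions can be dry-run without root; both are choices made here, not facts from the thread.

```shell
#!/bin/sh
# Added example (not the asker's script, not vendor code): an idempotent
# route-up helper for the 10.20.2.0/24 <-> 192.168.1.0/24 NETMAP setup.
# Assumptions: OpenVPN exports the tunnel interface name as $dev to route-up
# scripts; IPT may be overridden (e.g. IPT=fake_ipt) for dry runs without root.
set -eu

IPT="${IPT:-iptables}"
VPN_IF="${dev:-vpn1}"        # fall back to the name hard-coded in the thread
VPN_NET='10.20.2.0/24'       # addresses the remote user types in
LAN_NET='192.168.1.0/24'     # real PLC addresses behind the router
LAN_IF='lan1'                # local Ethernet towards the PLCs

# ensure_rule CHAIN RULE...: insert RULE into the nat CHAIN only if it is
# absent. `iptables -C` exits 0 when an identical rule exists, so the
# delete-then-insert pair is not needed and no step fails spuriously.
ensure_rule() {
    chain="$1"; shift
    if "$IPT" -t nat -C "$chain" "$@" 2>/dev/null; then
        echo "present: $chain $*"
    else
        "$IPT" -t nat -I "$chain" "$@"
        echo "added: $chain $*"
    fi
}

# The three rules the thread actually relies on; the unused 172.16.0.0/16
# SNAT pair is left out.
apply_rules() {
    ensure_rule PREROUTING  -d "$VPN_NET" -i "$VPN_IF" -j NETMAP --to "$LAN_NET"
    ensure_rule POSTROUTING -s "$LAN_NET" -o "$VPN_IF" -j NETMAP --to "$VPN_NET"
    ensure_rule POSTROUTING -o "$LAN_IF" -j MASQUERADE
}

# verify_rules: return non-zero if any expected rule is missing, so an
# intermittent failure shows up in the OpenVPN log instead of being found
# later by a user who cannot reach a PLC.
verify_rules() {
    rc=0
    "$IPT" -t nat -C PREROUTING -d "$VPN_NET" -i "$VPN_IF" -j NETMAP --to "$LAN_NET" 2>/dev/null \
        || { echo "missing: PREROUTING NETMAP on $VPN_IF" >&2; rc=1; }
    "$IPT" -t nat -C POSTROUTING -s "$LAN_NET" -o "$VPN_IF" -j NETMAP --to "$VPN_NET" 2>/dev/null \
        || { echo "missing: POSTROUTING NETMAP on $VPN_IF" >&2; rc=1; }
    "$IPT" -t nat -C POSTROUTING -o "$LAN_IF" -j MASQUERADE 2>/dev/null \
        || { echo "missing: POSTROUTING MASQUERADE on $LAN_IF" >&2; rc=1; }
    return "$rc"
}

# Only touch the firewall when invoked with "apply" (e.g. from OpenVPN's
# route-up option); running without arguments defines the functions only.
if [ "${1:-}" = "apply" ]; then
    apply_rules
    verify_rules
fi
```

To hook it in, the OpenVPN config would carry something like route-up "/etc/openvpn/netmap-up.sh apply" together with script-security 2 (the path is a placeholder). Because verify_rules exits non-zero when a rule is absent, a route-up failure is logged by OpenVPN at the moment it happens, which is the evidence the question is missing: whether the script did not run, ran against a different interface name, or ran and the rule later disappeared.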

Stevo
Thanks Martin. I missed the ! in the -icmp line. Your explanation is excellent and greatly appreciated. To answer your questions: 1. The lan1 interface is a local Ethernet network. It is the network that connects to the PLCs. 2. The VPN does always have the same name. The names are vpn0, vpn1 and vpn2. I will check this next time that I have a failure to see if there is a different name listed.
Stevo
Is there any significance to the 172.16.0.0/16 address for SNMP? Is this a common or known IP range for SNMP, or could this address be something that is specific to my cloud VPN server? I'm wondering if I should change this address to be my cloud VPN server address (which is 100.96.1.*), or if there is a known SNMP IP address that I should put in this rule, or whether I should just comment out the filter as it isn't being used?
Martin
There are no network ranges with significance for SNMP, and your cloud VPN server probably has a public external IP, and not an IP from a private network range (172.16.0.0/16 is a private network). The network range reminds me of a Docker default network (which is 172.17.0.0/16), but this might be a coincidence.